Google Researcher Says Adobe Downplays Security Holes

Adobe released its August software patches on Tuesday and immediately found itself in hot water with Google researcher Tavis Ormandy, who claims the firm is downplaying the extent of security flaws in its products.

The release prompted a rare rebuke from famed Google security researcher Tavis Ormandy, who alleged that Adobe was downplaying the number of vulnerabilities addressed in one of the patches: APSB11-21. According to Ormandy, that patch actually covered an astounding 400 separate vulnerabilities, rather than the 13 identified by Adobe.

According to Adobe, the APSB11-21 patch covers a range of vulnerabilities in Adobe’s Flash Player and Adobe Air for all supported platforms. Those include buffer and integer overflows in Flash Player and Air, along with other memory corruption problems. It is rated critical, with the holes making Flash and Air vulnerable to attacks that could crash the applications and allow an attacker to take control of the affected system, Adobe warned.

Adobe spokeswoman Wiebke Lips said that Ormandy’s Twitter communication was not coordinated with Adobe. She acknowledged that Google and Adobe are engaged in a “joint engineering effort,” but said that “the total number of unique bugs discussed as part of that project is far less than the number Tavis provided in his tweet.”

The difference between Ormandy and Adobe may hang on the term “unique bugs.” Researchers have speculated that Ormandy may be referring to the outcome of so-called “fuzzing” of Adobe’s software, versus fixes that can be linked to specific vulnerabilities, as identified by CVE numbers.

Adobe said, through its spokeswoman, that the company makes a policy of not disclosing details about internal findings in security bulletins. “Adobe has an ongoing cooperation with Google, and we greatly appreciate the assistance of the Google Chrome team on this and other projects that are part of this cooperation,” the spokeswoman wrote.

In an e-mail to Threatpost, Lips said that Adobe treats the outcome of joint engineering projects with Google and other vendors as “internal findings, (the) details of which are not disclosed in our security bulletins.” In other words: Adobe was under no obligation to reveal everything that internal tests uncovered – just fixes for vulnerabilities that had already been publicly identified. “There were no expectations in our coordinated communication with Google that details of this project beyond the acknowledgement we provided in the bulletin would be disclosed,” she wrote.
